The US Food & Drug Administration plans to ask Congress for more funding and regulatory powers to improve its approach towards medical device safety, including on the cybersecurity front. The objective is to force device makers to include mandatory update systems inside products for the purpose of delivering critical security patches.
The FDA also plans to create a document called “Software Bill of Materials” that will be provided for each medical device and will include software-related details for each product. The idea is to help device owners “better manage their networked assets and be aware of which devices in their inventory or use may be subject to vulnerabilities.” Lamar Bailey, Director of Security Research and Development at Tripwire, commented below.
Lamar Bailey, Director of Security Research and Development at Tripwire:
“Medical device security is a problem. Many of the hospitals have detailed plans and processes to build out patient and ER rooms with specific devices, all the way down to location in the rooms, but there are no plans to update the firmware or software on these devices. It is not uncommon to have multiple versions of the same device at different firmware revisions. Many new models of medical equipment have built-in functionality so that they can be monitored remotely, and this has opened up the devices to remote attacks. It is imperative that equipment manufacturers keep up with security issues and trends and then feed to their customers in the form of updates and information on why it is important to update.
The medical device community needs to take everything the IT community has learned over the years and institute the best practices for updating devices. Security in healthcare is more than HIPAA.”